I'm hoping to receive confirmation that an open-source steward will satisfy their EU-CRA obligations by providing the following artifacts, per product:
- An SBOM
- A living, online Vulnerability Disclosure Report (VDR)
- A Vendor Response Form containing additional product info, i.e., Support Status, Commercial Status, and more
- A CISA Secure by Design Software Acquisition Guide spreadsheet showing adherence to Secure by Design and Secure by Default principles and practices (https://cisa.gov/sag)
- A final risk assessment report (on request only)
Examples of these artifacts can be seen online at GitHub: https://github.com/rjb4standards/CISASAGReader
Any indication that these artifacts will not be sufficient to satisfy EU-CRA obligations would also be useful information to know.
Any feedback will help to provide clarity.
Hello Dick,
Looking into Article 24, it seems to me that the list you have is way more than will be required from a steward. It looks more like the list for a manufacturer.
From my understanding stewards should:
- put in place a security policy that includes a vulnerability handling policy (you do not have it on the list, but it is a logical dependency)
- cooperate with market surveillance (on request)
- report incidents if the steward is involved in development (if it is serious and they are aware?)
What do others think?
Kind regards,
Marta